Digital Signatures and RSA Certificates
Digital signatures provide the same functionality as handwritten signatures. Specifically, they are a mathematical technique used to provide three basic security services: authenticating a source, proving that a certain party has seen and signed the data in question; guaranteeing that the data has not changed from the time it was signed; and proving to a third party that the data exchange did take place.
Digital signatures are commonly used in code signing (to verify the integrity of downloaded files) and digital certificates (to verify the identity of an organization or individual). The four basic properties of digital signatures are that (1) the signature is authentic, (2) the signature is not forgeable, (3) the signature is not reusable, and (4) the signer cannot claim later that they did not sign it.
Digital certificates are used to authenticate and verify that a user sending a message is who they claim to be. Figure 29-6 shows how an RSA digital certificate or signature is used. RSA is an asymmetric algorithm that is commonly used for generating and verifying digital signatures. In this scenario, Bob is confirming an order with Alice. The steps are as follows:
1. Bob makes a hash, or fingerprint, of the document, which uniquely identifies the document and all its contents.
2. Bob encrypts the hash using only the signer’s private key (that is, Bob’s private key).
3. The encrypted hash, which is known as the signature, is appended to the document.
4. Alice obtains Bob’s public key.
5. Alice decrypts the signature using Bob’s public key. This step reveals the hash value initially calculated by Bob.
6. Alice makes a hash of the received document, without its signature, and compares this hash to the decrypted signature hash sent by Bob. If the hashes match, the document is authentic. The match means that the document has been signed by Bob and has not changed since it was signed.
Figure 29-6 Using RSA Digital Signatures
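The six steps above, as an added Python example that is not part of the original text: textbook RSA applied to a SHA-256 hash, showing that verification fails when either the document or the signature is altered. The key, the function names and the sample order are assumptions constructed for illustration; real signing applies a padding scheme such as RSASSA-PSS through a vetted library instead of raw exponentiation.

```python
import hashlib

# Constructed demo key (assumption for illustration): both primes are publicly
# known Mersenne primes, so this key is trivially factorable. Never reuse it.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent (Bob's public key is N, E)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to Bob


def fingerprint(document: bytes) -> int:
    """SHA-256 hash of the document as an integer (steps 1 and 6)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Steps 1-2: Bob hashes the document and applies his private key."""
    return pow(fingerprint(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Steps 5-6: Alice recovers the hash with Bob's public key and compares
    it with her own hash of the received document."""
    if not 0 <= signature < N:       # reject values outside the modulus range
        return False
    return pow(signature, E, N) == fingerprint(document)


if __name__ == "__main__":
    order = b"Order 1001: 20 units, confirmed by Bob"   # constructed sample
    signature = sign(order)          # step 3: sent along with the document
    print("genuine document :", verify(order, signature))
    print("altered document :", verify(order.replace(b"20", b"90"), signature))
    print("altered signature:", verify(order, (signature + 1) % N))
```

Only the holder of D can produce a value that passes verify, which is what ties the signature to Bob; anyone holding N and E can check it.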